# Permit outbound management
As discussed in `Azure.NSG.LateralTraversal`, outbound management traffic is expected from some subnets. Subnets that are expected to allow outbound management traffic may include:
- Privileged access workstations (PAWs)
- Bastion hosts
- Jump boxes
As a result, you may want to suppress the `Azure.NSG.LateralTraversal` rule on NSGs for these special cases.
This topic provides an example you can use to configure PSRule to ignore special case NSGs.
## Create a suppression group
In the `.ps-rule` sub-directory, create a file for the suppression group using the `.Rule.yaml` suffix that PSRule discovers. If the `.ps-rule` sub-directory does not exist, create it in the root of your repository.
Use the following snippet to populate the suppression group:
```yaml
---
# Synopsis: Ignore NSG lateral movement for management subnet NSGs such as Azure Bastion.
apiVersion: github.com/microsoft/PSRule/v1
kind: SuppressionGroup
metadata:
  name: Org.Azure.PermitOutboundManagement
spec:
  rule:
  - PSRule.Rules.Azure\Azure.NSG.LateralTraversal
  if:
    allOf:
    - type: '.'
      in:
      - Microsoft.Network/networkSecurityGroups
    # Suppress NSGs with bastion or management in their name
    - name: '.'
      contains:
      - bastion
      - management
```
Some key points to call out with the suppression group snippet include:
- The name of the suppression group is `Org.Azure.PermitOutboundManagement`. Each resource name must be unique.
- The suppression group applies to:
  - The rule `Azure.NSG.LateralTraversal`, listed under `rule` by its full name `PSRule.Rules.Azure\Azure.NSG.LateralTraversal` (module name, backslash, rule name).
  - Run against NSGs with the type `Microsoft.Network/networkSecurityGroups`.
  - When the name of the NSG contains `bastion` or `management`. The suppression group uses expressions to determine when a resource is suppressed. Update this condition to match your environment. For example, because `contains` matches the word anywhere in the name, any NSG with `management` in its name is suppressed, including one that has nothing to do with a management subnet. Keep the condition as narrow as your naming convention allows, because a suppressed NSG is no longer checked for lateral traversal.
- The synopsis comment above the suppression group is included in output as the explanation for the suppression.
- Expressions can be combined within a suppression group using `allOf`, as in the snippet above, where both the type condition and the name condition must match before the rule is suppressed.
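To review a name-based condition before committing it, the following added example (written for this page; it is not PSRule's code and does not load PSRule) models the `allOf`, `in`, `contains` and `startsWith` expressions in Python and runs the suppression group's condition over a few constructed NSG resources, one of which is matched only because its name happens to contain `management`. It assumes PSRule's documented default of case-insensitive string comparison unless `caseSensitive: true` is set; the resource names and the narrower `startsWith` variant are illustrative, not taken from the page.

```python
"""Model of the suppression group's `if` condition (added example, not PSRule code).

Re-implements just enough of PSRule's expression language (allOf, anyOf, not,
in, contains, startsWith) to show which targets a name-based suppression would
exempt. Assumptions, labelled here: string comparisons are case-insensitive
unless `caseSensitive: true` (PSRule's documented default); `in` compares whole
strings; a target is a dict with `name` and `type` keys as in an ARM resource.
"""

# The spec block from the YAML above, as an equivalent Python structure.
SUPPRESSION_GROUP = {
    "rule": ["PSRule.Rules.Azure\\Azure.NSG.LateralTraversal"],
    "if": {
        "allOf": [
            {"type": ".", "in": ["Microsoft.Network/networkSecurityGroups"]},
            {"name": ".", "contains": ["bastion", "management"]},
        ]
    },
}

# A narrower variant (illustrative, assumed naming convention): only names that
# start with a dedicated management prefix are exempted, so an application NSG
# that merely mentions "management" is still checked.
TIGHTER_GROUP = {
    "rule": SUPPRESSION_GROUP["rule"],
    "if": {
        "allOf": [
            {"type": ".", "in": ["Microsoft.Network/networkSecurityGroups"]},
            {"name": ".", "startsWith": ["nsg-bastion-", "nsg-management-"]},
        ]
    },
}


def _fold(value, case_sensitive):
    """Normalise a string for comparison according to the caseSensitive flag."""
    return value if case_sensitive else value.lower()


def evaluate(expr, target):
    """Evaluate one expression node against a target.

    Unsupported operators raise, so a typo in the YAML never silently becomes
    "matches everything" or "matches nothing".
    """
    if "allOf" in expr:
        return all(evaluate(e, target) for e in expr["allOf"])
    if "anyOf" in expr:
        return any(evaluate(e, target) for e in expr["anyOf"])
    if "not" in expr:
        return not evaluate(expr["not"], target)

    # Field selector: `name: '.'` / `type: '.'` mean the target's own name/type.
    field = "name" if "name" in expr else "type" if "type" in expr else None
    if field is None:
        raise ValueError(f"no field selector in expression: {expr}")
    value = target.get(field)
    if not isinstance(value, str):
        return False
    cs = bool(expr.get("caseSensitive", False))
    folded = _fold(value, cs)

    if "in" in expr:
        return folded in [_fold(v, cs) for v in expr["in"]]
    if "contains" in expr:
        return any(_fold(n, cs) in folded for n in expr["contains"])
    if "startsWith" in expr:
        return any(folded.startswith(_fold(p, cs)) for p in expr["startsWith"])
    raise ValueError(f"unsupported operator in expression: {expr}")


def suppressed_targets(group, targets):
    """Names of the targets the group's condition would exempt from its rule(s)."""
    return [t["name"] for t in targets if evaluate(group["if"], t)]


# Constructed sample targets, not from any real deployment.
SAMPLE_TARGETS = [
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-bastion-prod"},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "NSG-Management-PAW"},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-app-web"},
    # Over-broad match: an application tier whose name happens to contain the word.
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-inventory-management-app"},
    # Matching name but wrong resource type: the type guard keeps it in scope.
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-management"},
]

if __name__ == "__main__":
    for label, group in (("contains", SUPPRESSION_GROUP), ("startsWith", TIGHTER_GROUP)):
        print(f"{label}: would suppress {group['rule'][0]} on "
              f"{suppressed_targets(group, SAMPLE_TARGETS)}")
```

Run it to see which targets each condition exempts: the `contains` form picks up the application NSG as well as the two management NSGs, while the `startsWith` form does not. This model only predicts the match; the authoritative check is PSRule's own output, which reports each suppressed rule (by default as a warning, adjustable in recent versions through the `Execution.RuleSuppressed` option), so review suppressed results in CI rather than assuming the condition only hit the NSGs you intended.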